Cloudsweeper Project Estimates Your Inbox's Worth to Criminals

By Robert Lemos |
Posted 2013-07-05

People who have ever wondered why online criminals would want to gain access to their email accounts now have a way to find out: Two researchers at the University of Illinois at Chicago have created an online service that checks a person's Gmail account for sensitive information, offers to encrypt the information and then estimates how much access to the account would be worth on the black market.

The service, called Cloudsweeper, sifts through a person's inbox looking for password-reset or account-recovery emails as well as other sensitive account information. If it finds clear-text passwords, the service will offer to encrypt them. Then, the service will use current prices found on black-hat forums to put a price on the user's inbox.

Most people do not consider how much they rely on a single email address for the security of their other accounts, Peter Snyder, a Ph.D. student in computer science at the University of Illinois at Chicago and the primary lead on the Cloudsweeper project, told eWEEK.

"The fact that your one email account, in reality, can give someone access to a hundred other accounts really catches people by surprise," Snyder said.

While the use of easy-to-guess passwords and the reuse of a single password across multiple accounts are the major threats to the security of online accounts, criminals are increasingly finding ways to abuse the account-recovery options of online services. In June 2012, attackers intent on taking control of Web-infrastructure firm CloudFlare rerouted the CEO's voice mail and then used his Gmail account recovery to reset corporate passwords. While the company reacted quickly, the attackers gained access to sensitive corporate accounts before CloudFlare regained control.

Cloudsweeper evolved from a simple script originally created by Chris Kanich, an associate professor at the University of Illinois at Chicago, who had initially written a small Python program to search inboxes for passwords and delete the sensitive codes. In September 2012, Snyder worked with Kanich to turn the script into a service, later adding the ability to encrypt the passwords. In March, the researchers began adding the capability to value the potential access to each account, which went live June 26.

While the average user may have little to fear from attackers targeting their personal email accounts, the idea of the Cloudsweeper project is to help users determine how much they rely on a single email address, Snyder said. The idea of putting a value on people's account has boosted the project's popularity. In the week since the group launched the feature, more than 25,000 people have signed up.

The service does require the user to trust Snyder and Kanich, since their script has access to the user's email account. However, the Cloudsweeper script uses the open standard for authorization (OAuth) to access accounts, and the user can revoke access at any time. In addition, the research project is listed in the University of Illinois at Chicago's human research protocol database as UIC IRB 2012-0774, providing additional checks on the authenticity of the program.

"At the end of the day, we have to rely on the user trusting us," Snyder said.

While it's not required to use the service, the researchers also ask users to opt in to some anonymous data collection. The researchers plan to study the password habits of other online services. While Cloudsweeper only works with Gmail at the moment, the researchers may create similar services for Yahoo, Windows Live Mail or other services, Snyder said.